More than a month after Microsoft shipped a fix, roughly 1,300 on-premises SharePoint servers remain unpatched against a vulnerability that attackers are actively exploiting, according to internet-scan telemetry reviewed by security researchers. The flaw, tracked as CVE-2026-32201, allows an attacker to spoof identities through improper input validation, potentially giving them a foothold to access documents, manipulate workflows, or move deeper into a corporate network.
The Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities (KEV) catalog on April 14, 2026, confirming that real-world attacks were already underway. Federal civilian agencies faced a hard remediation deadline of April 28. That deadline has now passed, and the exposure picture outside the federal government remains troubling.
What the vulnerability actually does
CVE-2026-32201 targets the way on-premises SharePoint validates certain inputs. When exploited, it lets an attacker forge requests that the server treats as legitimate, effectively impersonating a trusted user or service. Microsoft, which serves as the CVE Numbering Authority for its own products, assigned the flaw a CVSS v3.1 base score of 6.5, placing it in the medium-severity band.
That “medium” label can be misleading. The score measures technical characteristics in isolation: attack vector, complexity, privilege requirements, and impact on confidentiality, integrity, and availability. It does not factor in whether anyone is actually using the exploit. CISA’s KEV inclusion changes the calculus entirely. The agency adds a vulnerability to that catalog only when it has evidence of confirmed exploitation, not just proof-of-concept code or theoretical risk. In practical terms, a 6.5-rated bug that adversaries are already leveraging against production systems demands the same urgency as many higher-scored flaws that remain theoretical.
“Organizations need to stop treating CVSS scores as the sole input to their patching priority,” said Jake Williams, a former NSA operator and faculty member at IANS Research. “When CISA puts something on the KEV list, that is the agency telling you this is being used in real attacks right now. A 6.5 on the KEV list is more dangerous than a 9.8 that nobody has weaponized.”
One important distinction: SharePoint Online, the cloud-hosted version included with Microsoft 365, is managed and patched by Microsoft directly. This vulnerability affects organizations running SharePoint on their own servers, where patching is the customer’s responsibility.
Where the 1,300-server figure comes from
The count of roughly 1,300 exposed servers does not appear in any CISA or NIST publication. It originates from internet-scanning platforms such as Shodan and Censys, which continuously index publicly reachable infrastructure and attempt to match observed software versions against known CVEs. Security researchers routinely use these tools to estimate patch adoption after a high-profile disclosure.
The number is directionally useful but imperfect. A server that shows up in a scan may be unpatched yet still shielded by a web application firewall, strict network segmentation, or other compensating controls. Conversely, compromised servers sitting behind VPN gateways may never appear in a public scan at all. The figure is best understood as a floor estimate of exposure, not a precise count of breached organizations.
Even with those caveats, 1,300 internet-facing SharePoint instances running vulnerable code more than a month after a patch shipped is a significant number. SharePoint deployments typically store sensitive internal documents, HR records, project plans, and executive communications. A single compromised server can give an attacker access to years of institutional knowledge.
Why patching has stalled
CISA’s binding operational directive (BOD 22-01) compels Federal Civilian Executive Branch agencies to remediate KEV-listed flaws within the stated deadline. But the directive has no authority over private companies, state and local governments, universities, or nonprofits. For those organizations, patching timelines depend on internal change-management processes, staffing levels, and risk tolerance, all of which vary enormously.
On-premises SharePoint is particularly difficult to update quickly. Many deployments are heavily customized with third-party web parts, custom workflows, and integrations that can break after a cumulative update. IT teams often require a full regression-testing cycle before pushing changes to production, a process that can stretch from days to weeks. Smaller organizations with limited IT staff may not even be aware the patch exists.
CISA has not published indicators of compromise, named specific threat actors, or described which industries have been targeted. Microsoft has likewise not released a public breakdown of exploitation patterns or geographic distribution. That silence leaves defenders without the granular threat intelligence they need to prioritize resources, and it may contribute to a false sense of security among organizations that assume they are not targets.
What security teams should do right now
The most immediate action is also the most obvious: confirm that every on-premises SharePoint instance in the environment has received the April 2026 cumulative update that addresses CVE-2026-32201. Administrators should reconcile Microsoft’s security guidance against their own server inventory, with special attention to any instance reachable from the internet or from partner networks.
Because the flaw enables spoofing, organizations should also harden authentication controls around SharePoint. Enforcing multifactor authentication on all accounts, restricting access to administrative interfaces by IP range, and disabling legacy authentication protocols can limit what an attacker gains even if they exploit the vulnerability before a patch lands.
Log review is critical. Security teams should examine SharePoint and Active Directory logs from early April 2026 onward, looking for anomalous login patterns, unexpected permission changes, bulk file downloads, or new site collections created by unfamiliar accounts. Any of these could indicate that an attacker exploited the flaw before the patch was applied.
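One way to automate the log review described above, as an added example that is not part of the article and not Microsoft's tooling: it scans constructed SharePoint-style audit records for bulk downloads and for site collections created by accounts outside an allowlist. The CSV format, the event names, the 20-downloads-in-10-minutes threshold and the admin allowlist are all assumptions.

```python
# Added example, not from the article: triage of constructed SharePoint-style audit
# records. Log format, event names, thresholds and the admin allowlist are assumptions.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

REVIEW_FROM = datetime(2026, 4, 1)                        # early April 2026 onward
BULK_THRESHOLD, BULK_WINDOW = 20, timedelta(minutes=10)   # assumed: 20 downloads / 10 min
KNOWN_ADMINS = {"CORP\\sp_admin"}                         # assumed: may create site collections

# Constructed sample log (CSV, not real data): an unfamiliar account 'temp01' creates a
# site collection and then pulls 24 files in under three minutes.
SAMPLE_LOG = "timestamp,user,event,target\n" + "\n".join(
    ["2026-03-15T08:00:00,CORP\\alice,UserLoggedIn,/",
     "2026-03-20T10:00:00,CORP\\sp_admin,SiteCollectionCreated,/sites/projects",
     "2026-04-02T09:00:00,CORP\\alice,FileDownloaded,/sites/hr/handbook.pdf",
     "2026-04-03T01:12:00,CORP\\temp01,SiteCollectionCreated,/sites/x1"]
    + [f"2026-04-03T01:{15 + i // 10}:{i % 10 * 5:02d},CORP\\temp01,FileDownloaded,"
       f"/sites/finance/doc{i}.docx" for i in range(24)])

def parse_log(text):
    """Parse CSV audit rows into dicts with datetime timestamps, oldest first."""
    rows = [{"ts": datetime.fromisoformat(r["timestamp"]), "user": r["user"],
             "event": r["event"], "target": r["target"]}
            for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["ts"])

def bulk_downloads(rows):
    """Users with >= BULK_THRESHOLD downloads inside any BULK_WINDOW after REVIEW_FROM,
    mapped to the largest such burst (sliding window over each user's sorted times)."""
    times = defaultdict(list)
    for r in rows:
        if r["ts"] >= REVIEW_FROM and r["event"] == "FileDownloaded":
            times[r["user"]].append(r["ts"])
    flagged = {}
    for user, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def unexpected_site_collections(rows):
    """Site collections created after REVIEW_FROM by accounts outside the allowlist."""
    return [(r["user"], r["target"]) for r in rows if r["ts"] >= REVIEW_FROM
            and r["event"] == "SiteCollectionCreated" and r["user"] not in KNOWN_ADMINS]
```

Events before the review window and activity by allowlisted admins are left alone, so the two functions return only the records worth a human look.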
Where operational constraints make immediate patching impossible, temporary safeguards can reduce risk. Pulling SharePoint off the public internet, tightening firewall rules to allow only known IP ranges, and increasing logging verbosity all buy time. Organizations should also verify that current backups of SharePoint content databases are intact and stored offline, in case recovery becomes necessary.
Why a 6.5 CVSS score with confirmed exploitation demands emergency treatment
This situation illustrates a recurring pattern in enterprise security: a vendor ships a patch, a government agency confirms active exploitation, and hundreds of organizations still take weeks or months to act. The CVSS score becomes a convenient excuse to defer. “It’s only a 6.5” translates, in practice, to “we’ll get to it next cycle.”
That logic breaks down the moment attackers are already using the exploit. Every day an unpatched SharePoint server sits on the open internet is another day an intruder can walk through a door that Microsoft closed in early April. For the 1,300-plus organizations still exposed as of late May 2026, the window to act without consequence is closing fast, if it has not closed already.
*This article was researched with the help of AI, with human editors creating the final content.